Privacy Act of 1974; New System of Records, 69922-69924 [2023-22384]

Agencies

• Export-Import Bank

[Federal Register Volume 88, Number 194 (Tuesday, October 10, 2023)]
[Notices]
[Pages 69922-69924]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-22384]


-----------------------------------------------------------------------

EXPORT-IMPORT BANK


Privacy Act of 1974; New System of Records

AGENCY: Export Import Bank of the United States.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, the Export Import Bank of 
the United States (``EXIM'', ``EXIM Bank'', or ``The Bank'') is 
proposing a new system of records notice (``SORN''). EXIM Bank is 
proposing a new system of records--EXIM AgilQuest. This new SORN will 
include the authorities for maintenance of the system, the purposes of 
the system, and the categories of entities and individuals covered by 
the system. The new system of records described in this notice, EXIM 
AgilQuest, will collect information for current employees and 
contractors of the Bank to support a hybrid (onsite & telework) working 
environment.

DATES: The system of records described herein will become effective 
October 10, 2023. The deadline to submit comments on this system of 
records, as well as the date on which the below routine uses will 
become effective, will be 30 days after Federal Register publication.

ADDRESSES: You may submit written comments to EXIM Bank by any of the 
following methods:

[[Page 69923]]

     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the website instructions for submitting comments.
     Email: [email protected]. Refer to SORN in the 
subject line.
     Mail or Hand Delivery: Address letters to the Freedom of 
Information Act Office and the Office of Information Management and 
Technology, Export Import Bank of the United States, 811 Vermont Ave. 
NW, Washington, DC 20571.
    Commenters are strongly encouraged to submit public comments 
electronically. EXIM Bank expects to have limited personnel available 
to process public comments that are submitted on paper through mail. 
Until further notice, any comments submitted on paper will be 
considered to the extent practicable.
    All submissions must include the agency's name (Export Import Bank 
of the United States, or EXIM Bank) and reference this notice. Comments 
received will be posted without change to EXIM Bank's website. Do not 
submit comments that include any Personally Identifiable Information 
(PII) or confidential business information. Copies of comments may also 
be obtained by writing to the Freedom of Information Act Office and the 
Office of Information Management and Technology, Export Import Bank of 
the United States, 811 Vermont Ave. NW, Washington, DC 20571.

FOR FURTHER INFORMATION CONTACT: The Office of the General Counsel, 
Administrative Law Group at [email protected], or by calling 202-
565-3168, or by going to https://www.exim.gov/about/freedom-information-act/privacy-act-requests/pia-notices-assessments.

SUPPLEMENTARY INFORMATION: The new system of records described in this 
notice, EXIM AgilQuest, will store certain information of current 
employees and contractors of the Bank to support a hybrid (onsite & 
telework) working environment. The report of a new system of records 
has been submitted to the Committee on Oversight and Government Reform 
of the House of Representatives, the Committee on Homeland Security and 
Governmental Affairs of the Senate, and the Office of Management and 
Budget, pursuant to OMB Circular A-108, ``Federal Agency 
Responsibilities for Review, Reporting, and Publication under the 
Privacy Act'' (Dec. 2016) and the Privacy Act, 5 U.S.C. 552a(r).

SYSTEM NAME AND NUMBER:
    System Name: EXIM AgilQuest, System Number: N/A

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    This electronic system will be used via a web interface and mobile 
application by the Export Import Bank of the United States, 811 Vermont 
Avenue NW, Washington, DC 20571. The physical location and technical 
operation of the system is at the FedRAMP Authorized Amazon Web 
Services (AWS) cloud services facility at 410 Terry Ave N, Seattle, WA 
98109-5210.

SYSTEM MANAGER(S):
    Tomeka Wray, Vice President of Operations, EXIM Bank, 811 Vermont 
Avenue NW, Washington, DC 20571, [email protected], 202-565-3996.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Export-Import Bank Act of 1945, as amended (12 U.S.C. 635 et 
seq.).\1\ 5 U.S.C. 301.
---------------------------------------------------------------------------

    \1\ More specifically, sections 635(a)(1) and 635a(j)(1)(C) of 
the Export-Import Bank Act of 1945, as amended.
---------------------------------------------------------------------------

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system of records is to facilitate the hybrid 
workforce environment by allowing EXIM employees and contractors to 
reserve agency workspaces such as ``Touchdown Spaces'', ``Collaboration 
Spaces/Meeting Rooms'', and Information Technology (IT) assets. The 
system will provide employees with increased flexibility and access to 
workspaces while providing the agency with space utilization 
information to make data-driven decisions for facilities operations and 
capital planning.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The EXIM AgilQuest system will contain information on EXIM current 
employees and contractors.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The EXIM AgilQuest system will contain Personally Identifiable 
Information (PII) of EXIM current employees and contractors, necessary 
to obtain an account and reserve workspaces relevant to their division 
and job functions. Records maintained in this system may contain 
employee and contractor information including, but not limited to, 
name, agency email address, agency phone number, location (e.g., EXIM 
Headquarters or satellite location), and organization/division/office 
of assignment. Individuals may voluntarily provide additional contact 
information through the EXIM AgilQuest online portal such as picture, 
preferred name, additional phone numbers, and EXIM work groups.

RECORD SOURCE CATEGORIES:
    Information in this system is obtained using one of three methods: 
manual entry by an administrator user, direct database connection to 
supply the required information, and through employee or contractor 
entry of optional data to their individual profile.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures that are generally permitted under 
5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside EXIM 
as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    1. Appropriate agencies, entities, and persons when (a) the Bank 
suspects or has confirmed that there has been a breach of the system of 
records; (b) the Bank has determined that as a result of the suspected 
or confirmed breach there is a risk of harm to individuals, the Bank 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (c) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the Bank's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    2. Another Federal agency or Federal entity, when the Bank 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    3. The Office of the President in response to an inquiry from that 
office made at the request of the subject of a record or a third party 
on that person's behalf.
    4. Congressional offices in response to an inquiry made at the 
request of the individual to whom the record pertains.
    5. Contractors or other authorized individuals performing work on a 
contract, service, cooperative agreement, job, or other activity on 
behalf of the

[[Page 69924]]

Bank or Federal Government and who have a need to access the 
information in the performance of their duties or activities.
    6. The U.S. Department of Justice (DOJ) for its use in providing 
legal advice to the Bank or in representing the Bank in a proceeding 
before a court, adjudicative body, or other administrative body, where 
the use of such information by the DOJ is deemed by the Bank to be 
relevant and necessary to the advice or proceeding, and in the case of 
a proceeding, such proceeding names as a party in interest: (a) The 
Bank; (b) Any employee of the Bank in his or her official capacity; (c) 
Any employee of the Bank in his or her individual capacity where DOJ 
has agreed to represent the employee; or (d) The United States, where 
the Bank determines that litigation is likely to affect the Bank or any 
of its components.
    7. A court, magistrate, or administrative tribunal during an 
administrative proceeding or judicial proceeding, including disclosures 
to opposing counsel or witnesses (including expert witnesses) during 
discovery or other pre-hearing exchanges of information, litigation, or 
settlement negotiations, where relevant and necessary to a proceeding, 
or in connection with criminal law proceedings.
    8. Appropriate Federal, State, local, foreign, tribal, or self-
regulatory organizations or agencies responsible for investigating, 
prosecuting, enforcing, implementing, issuing, or carrying out a 
statute, rule, regulation, order, policy, or license if the record 
indicates a violation or a potential violation of civil or criminal 
law, rule, regulation, order, policy, or license.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored digitally in encrypted format in the 
AgilQuest Amazon Web Services (AWS) FedRAMP authorized cloud 
environment. AgilQuest encrypts EXIM's sensitive information (such as 
employee or contractor first name, last name, and email address) at 
rest and stores it in Amazon Relational Database Service (RDS) AWS 
databases. Data in transit is encrypted via TLS. AgilQuest also 
leverages AWS Key Management Service (KMS) to encrypt data and restrict 
access based on user roles and job functions. AgilQuest complies with 
EXIM policy which stipulates that sensitive data generated from 
AgilQuest must be stored on EXIM's Microsoft OneDrive and SharePoint 
site that are managed and protected by EXIM's Infrastructure General 
Support System administrative, technical, and physical controls.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by other users by using the employee's 
name. Records may be retrieved by administrator/superusers by the 
following: first or preferred name, last name, email address, Location 
(e.g., Headquarters or satellite location), and user role. Information 
may additionally be retrieved by other personal identifiers by user 
account maintenance programs within the application.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are archived/disposed of during the routine data sync for 
individuals who are no longer employees or contractors of EXIM. 
Otherwise, records are maintained and destroyed in accordance with the 
National Archives and Record Administration's (``NARA'') Basic Laws and 
Authorities (44 U.S.C. 3301, et seq.) or an EXIM Bank records 
disposition schedule approved by NARA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Information will be stored in electronic format within the 
AgilQuest Cloud Service Provider (CSP) Amazon Web Service (AWS). EXIM 
AgilQuest has configurable, layered user accounts and permissions 
features to ensure users have only the proper access necessary to 
perform their duties. Access to EXIM AgilQuest is restricted to EXIM 
employees and contractors who need it for their job functions. 
Authorized users have access only to the data and functions required to 
perform their job functions. AgilQuest uses AWS Key Management Service 
(KMS), a managed service for AgilQuest to create and control the 
cryptographic keys that are used to protect EXIM data. AWS KMS uses 
hardware security modules (HSM) to protect and validate AWS KMS keys 
under the FIPS 140-2 Cryptographic Module Validation Program (https://csrc.nist.gov/projects/cryptographic-module-validation-program) to 
implement cryptography for data at rest. AWS KMS enables AgilQuest to 
maintain control over who can use AgilQuest AWS KMS keys and gain 
access to EXIM encrypted data. Keys distributions are only permitted on 
the AWS Console Layer. Lost or corrupted keys are managed by AWS KMS. 
EXIM AgilQuest which is hosted in AWS as a Software-as-a-Service 
application inherits all the administrative, technical, and physical 
controls offered by AWS and the EXIM Infrastructure General Support 
System.
    AgilQuest CSP, is compliant with the Federal Risk and Authorization 
Management Program (FedRAMP). The PII information in EXIM AgilQuest is 
encrypted and stored in AWS, and the Hypertext Transfer Protocol Secure 
(HTTPS) protocol is used to access EXIM AgilQuest.

RECORD ACCESS PROCEDURES:
    Requests to access records under the Privacy Act must be submitted 
in writing and must be signed by the requestor. Requests should be 
addressed to the Freedom of Information Act Office and the Office of 
Information Management and Technology, Export Import Bank of the United 
States, 811 Vermont Ave. NW, Washington, DC 20571. The request must 
comply with the requirements of 12 CFR 404.14.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest and/or amend records under the 
Privacy Act must submit a request in writing. The request must be 
signed by the requestor and should be addressed to the Freedom of 
Information Act Office and the Office of Information Management and 
Technology, Export Import Bank of the United States, 811 Vermont Ave. 
NW, Washington, DC 20571. The request must comply with the requirements 
of 12 CFR 404.14.

NOTIFICATION PROCEDURES:
    Individuals wishing to determine whether this system of records 
contains information about them may do so by submitting a written 
request to the Freedom of Information Act Office and the Office of 
Information Management and Technology, Export Import Bank of the United 
States, 811 Vermont Ave. NW, Washington, DC 20571. The written request 
must include the following:
    1. Name.
    2. Type of information requested.
    3. Address to which the information should be sent.
    4. Signature.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Export-Import Bank of the U.S.
Christopher Sutton,
Chief Information Security Officer (CISO) and Chief Privacy Officer 
(CPO), IT Security Systems & Assurance Unit.
[FR Doc. 2023-22384 Filed 10-6-23; 8:45 am]
BILLING CODE 6690-01-P